| From: | "Merlin Moncure" <mmoncure(at)gmail(dot)com> |
|---|---|
| To: | "Klint Gore" <kgore4(at)une(dot)edu(dot)au> |
| Cc: | Andreas <maps(dot)on(at)gmx(dot)net>, pgsql-general(at)postgresql(dot)org |
| Subject: | Re: How restrict select on a view ? |
| Date: | 2008-12-16 14:35:41 |
| Message-ID: | b42b73150812160635x571eb146o9b30a4a8c78c2af1@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Mon, Dec 15, 2008 at 9:38 PM, Klint Gore <kgore4(at)une(dot)edu(dot)au> wrote:
> Andreas wrote:
>>
>> I'd like to have a view only to be used by certain users.
>> The tables are public.
>>
>> Can this only be done by restricting access to the tables?
>>
>
> GRANT/REVOKE works on views
> revoke all on aview from public;
> grant select on aview to user1;
>
> As Raymond pointed out, if user2 knows what the definition of aview is, they
> can just run it against the raw tables.
> e.g.
> create view aview as select * from pg_proc;
> revoke all on aview from public;
> grant select on aview to user1;
> set session authorization user2;
> select * from aview; -- fails
> select * from pg_proc; -- works and gives the same result
Yes, but:
* you can still \d the view (or \d equivalent in sql) which shows it's
definition
* if you can \d view, you can 'create temporary view' with the same
definition on public tables
what does this get you?
merlin
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Johan Nel | 2008-12-16 14:57:29 | Re: Lost password |
| Previous Message | salma | 2008-12-16 13:52:38 | Need help - Regarding Data Compression in PostgreSQL. |